Finding and Exploiting open SMB service [bug bounty write-up].


Sugam Dangal

Hi everyone. This time I have come up with a write-up of a misconfiguration of an SMB server that I came across while testing a target.

Let’s start by understanding what SMB (Server Message Block) is.

Server Message Block (SMB) is a communication protocol used to share files, printers, serial ports, and miscellaneous communications between nodes on a network. SMB provides client applications with a secure and controlled method for opening, reading, moving, creating and updating files on remote servers. The protocol can also communicate with server programs configured to receive SMB client requests.

SMB request/response

Let’s take the target as “target.com”. After initial recon, I wanted to test the services in Shodan. Following Orwa Atyat’s Shodan recon techniques, I started searching for my target in Shodan.

ssl.cert.subject.cn:target.com

I found an IP address that pointed to “variated.target.com”.

Shodan showed that there was an open SMB service running on that IP address. I went to Censys to check other details and verified the issue.

Later I also confirmed it through an Nmap scan using the command:

nmap -sC -sV <target_ip> -p445 -Pn

Here,

-sC runs the default scripts
-sV is for discovering service versions
-p445 specifies the port to test
-Pn disables host discovery [Nmap tries to determine whether hosts are online before scanning them by sending ICMP echo requests (ping) and sometimes other probes (like TCP SYN or ACK packets). If a host doesn’t respond, Nmap may skip scanning it.]
Nmap Results

After confirmation, I used the default Nmap script for enumerating SMB shares and checked whether I got any valid response.

nmap --script smb-enum-shares.nse -p445 <target_ip>

--script is used to specify the script to run

smb-enum-shares.nse is the Nmap script we wanted to run to enumerate shares.

After gathering all the required details and confirmation, the next step was to check the user privileges to see whether any misconfiguration had been made.

Nmap script for SMB shares

Here, I discovered that there was Read/Write permission for anonymous users.

After finding that the guest user was allowed, I tried connecting to SMB via the guest username to access the share, and I was successfully logged in; I could use commands on the shell.

using commands in the target service

After this stage I decided not to go further and to report this issue. I created the PoC, provided all reference materials and submitted the report.

Following the report, the triager asked me to verify the issue as the target was not reachable from his machine. I re-created the PoC and sent it.

Re-verifying the issue

Later, the triager asked me whether I was correct, because when he tried to test for write access, the host was returning an “Access Denied” response.

To further test the privileges, I used the “smbmap” tool. I reviewed the privileges again and found out that the Nmap result was a false positive.

smbmap tool results

Upon further investigating the permissions, it was found that only read permission was allowed and write permission was not.
I asked the triager to proceed with the degraded severity of “High”, as I was not able to demonstrate write access.

Triage to Pending

After this the issue was finalized. I hope you gained some insight into how you can test for an open SMB service if you come across one.
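The lesson of the triage above is that a share listed as READ/WRITE by one enumeration tool should not be reported as writable until a second tool, and ultimately a real write attempt, agrees. The following Python script is an added example and is not code from the original write-up or from the Nmap/smbmap projects: it parses the share tables that smb-enum-shares and smbmap print, compares the two views per share, and labels any share that only Nmap calls writable as “write-unconfirmed”. Both input samples are constructed in the shape of those tools’ output (the host 192.0.2.10 is a documentation address), and the parser assumes share names contain no spaces.

```python
import re
from typing import Dict

# Constructed sample in the shape of Nmap's smb-enum-shares output (not captured
# from the target in the write-up).
NMAP_SAMPLE = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.0.2.10\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.0.2.10\public:
|     Type: STYPE_DISKTREE
|     Comment: Public share
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
"""

# Constructed sample in the shape of smbmap's share table for the same host.
SMBMAP_SAMPLE = """
[+] Guest session   \tIP: 192.0.2.10:445\tName: 192.0.2.10
        Disk                                                  \tPermissions\tComment
\t----                                                  \t-----------\t-------
\tADMIN$                                            \tNO ACCESS\tRemote Admin
\tpublic                                            \tREAD ONLY\tPublic share
"""

# "|   \\host\share:" header line of one share in the Nmap output
NMAP_SHARE_RE = re.compile(r"^\|_?\s+\\\\[^\\]+\\([^:]+):\s*$")
# "|     Anonymous access: <value>" line inside a share block
NMAP_ANON_RE = re.compile(r"^\|_?\s+Anonymous access:\s*(.+?)\s*$")
# one data row of smbmap's table: share name, permission column, comment
SMBMAP_ROW_RE = re.compile(
    r"^\s*(\S+)\s+(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\b\s*(.*)$"
)


def parse_nmap_enum_shares(text: str) -> Dict[str, str]:
    """Map share name -> 'Anonymous access' value reported by smb-enum-shares."""
    shares: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = NMAP_SHARE_RE.match(line)
        if m:
            current = m.group(1)
            shares[current] = "<unknown>"  # until an access line is seen
            continue
        m = NMAP_ANON_RE.match(line)
        if m and current is not None:
            shares[current] = m.group(1)
    return shares


def parse_smbmap(text: str) -> Dict[str, str]:
    """Map share name -> permission column from smbmap's table."""
    shares: Dict[str, str] = {}
    for line in text.splitlines():
        m = SMBMAP_ROW_RE.match(line)
        if m:
            shares[m.group(1)] = m.group(2)
    return shares


def claims_write(permission: str) -> bool:
    """True if a tool's permission string claims write access."""
    return "WRITE" in permission.upper()


def reconcile(nmap_shares: Dict[str, str], smbmap_shares: Dict[str, str]) -> Dict[str, str]:
    """Compare both tools' view of unauthenticated write access per share.

    'write-confirmed'   both tools report write access
    'write-unconfirmed' Nmap reports write but smbmap does not: treat as a
                        possible false positive until a real write is tested
    'smbmap-only'       smbmap reports write but Nmap does not
    'read-or-none'      neither tool reports write access
    """
    verdicts: Dict[str, str] = {}
    for name in sorted(set(nmap_shares) | set(smbmap_shares)):
        n = claims_write(nmap_shares.get(name, ""))
        s = claims_write(smbmap_shares.get(name, ""))
        if n and s:
            verdicts[name] = "write-confirmed"
        elif n:
            verdicts[name] = "write-unconfirmed"
        elif s:
            verdicts[name] = "smbmap-only"
        else:
            verdicts[name] = "read-or-none"
    return verdicts


if __name__ == "__main__":
    nmap_view = parse_nmap_enum_shares(NMAP_SAMPLE)
    smbmap_view = parse_smbmap(SMBMAP_SAMPLE)
    for share, verdict in reconcile(nmap_view, smbmap_view).items():
        print(f"{share:<8} nmap={nmap_view.get(share, '-'):<11} "
              f"smbmap={smbmap_view.get(share, '-'):<10} -> {verdict}")
```

On the constructed samples the “public” share comes out as “write-unconfirmed”, which mirrors the write-up: the severity claimed in a report should rest on the most conservative verdict, and a share-listing permission is still only a claim until a write is actually attempted (with authorization) and succeeds.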

Thank you for reading till the end. I am open to any comments/feedback/suggestions. Please feel free to connect with me. I will be back soon with a new write-up. Thank You.

My Twitter Handle
